CVE-2025-53696 Johnson Controls CVE debrief

Who should care

Organizations using Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, or iSTAR Edge G2 door controllers for physical access control. Security teams responsible for building automation and physical security infrastructure. Critical infrastructure operators with integrated physical access control systems. Facilities management teams planning lifecycle replacement of aging door controller hardware.

Technical summary

The iSTAR Ultra and Ultra SE door controllers perform firmware signature verification during the boot process, but the verification implementation is incomplete. Certain firmware regions are excluded from the verification check, creating a gap where attacker-modified code could persist and execute. This affects firmware versions 6.9.2 and prior. The vulnerability requires low privileges to exploit over the network (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), with physical access enabling additional attack vectors. Johnson Controls addressed this through firmware updates that expand verification coverage, with version 6.9.8 providing comprehensive protection including physical access scenarios. The advisory notes this vulnerability is related to CVE-2025-53695, CVE-2025-53697, and CVE-2025-53700, with version 6.9.3 initially addressing the cluster of issues.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade iSTAR Ultra and Ultra SE door controllers to firmware version 6.9.8 to address physical access attack scenarios
• If unable to upgrade immediately, apply firmware version 6.9.3 or newer to reduce exploitation risk
• Install control units in restricted access, protected areas per hardware installation manual requirements to lower physical tampering risk
• Disable Pro Mode and use Ultra Mode on iSTAR Ultra and iSTAR Ultra door controllers
• Implement network segmentation and access controls around iSTAR controllers per Dragos recommendations
• Plan migration to newer control units as iSTAR Ultra approaches end-of-service within one year of advisory publication
• Review Johnson Controls Product Security Advisory JCI-PSA-2025-10 for detailed mitigation instructions
• Contact Johnson Controls Trust Center for assistance with remediation planning

Evidence notes

CISA ICS Advisory ICSA-25-224-02 (Update A) documents that firmware verification on boot does not inspect certain firmware portions, allowing potential malicious code in those regions. Johnson Controls released firmware 6.9.3 in 2024 to address CVE-2025-53695 and reduce risk for this vulnerability. Update A (December 16, 2025) added version 6.9.8 as recommended mitigation for physical access attack scenarios.

Official resources